fix(server): use explicit STS credentials for iceberg secret #1467
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| branches: | |
| - main | |
| pull_request: | |
| branches: | |
| - main | |
| permissions: | |
| contents: read | |
| jobs: | |
| lint: | |
| runs-on: ubuntu-24.04-arm | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: extractions/setup-just@dd310ad5a97d8e7b41793f8ef055398d51ad4de6 # v2.0.0 | |
| - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0 | |
| with: | |
| go-version-file: go.mod | |
| - uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1 | |
| with: | |
| version: v2.11.4 | |
| controlplane-no-libduckdb: | |
| name: Verify cmd/duckgres-controlplane does not link libduckdb | |
| runs-on: ubuntu-24.04-arm | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Set up Go | |
| uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0 | |
| with: | |
| go-version-file: go.mod | |
| - name: Build cmd/duckgres-controlplane (default tags) | |
| run: go build ./cmd/duckgres-controlplane/... | |
| - name: Build cmd/duckgres-controlplane (-tags kubernetes) | |
| run: go build -tags kubernetes ./cmd/duckgres-controlplane/... | |
| # Lock in the binary-split goal: cmd/duckgres-controlplane must remain | |
| # free of github.com/duckdb/duckdb-go in its transitive import graph, | |
| # both with and without the kubernetes build tag. If this guard breaks, | |
| # someone added an import that pulls libduckdb into the CP build — | |
| # likely via a server/* leaf that grew a duckdb-go dependency. Find | |
| # the offending package with `go list -deps -json ./cmd/duckgres-controlplane` | |
| # and route around it (subpackage extraction, registration hook, or | |
| # interface boundary) rather than relaxing this check. | |
| - name: go list -deps controlplane is duckdb-free (default tags) | |
| run: | | |
| set -euo pipefail | |
| if go list -deps ./cmd/duckgres-controlplane | grep -F "github.com/duckdb/duckdb-go"; then | |
| echo "::error::cmd/duckgres-controlplane transitively imports duckdb-go (default tags)" >&2 | |
| exit 1 | |
| fi | |
| if go list -deps ./controlplane | grep -F "github.com/duckdb/duckdb-go"; then | |
| echo "::error::controlplane package transitively imports duckdb-go (default tags)" >&2 | |
| exit 1 | |
| fi | |
| - name: go list -deps controlplane is duckdb-free (-tags kubernetes) | |
| run: | | |
| set -euo pipefail | |
| if go list -tags kubernetes -deps ./cmd/duckgres-controlplane | grep -F "github.com/duckdb/duckdb-go"; then | |
| echo "::error::cmd/duckgres-controlplane transitively imports duckdb-go (-tags kubernetes)" >&2 | |
| exit 1 | |
| fi | |
| if go list -tags kubernetes -deps ./controlplane | grep -F "github.com/duckdb/duckdb-go"; then | |
| echo "::error::controlplane package transitively imports duckdb-go (-tags kubernetes)" >&2 | |
| exit 1 | |
| fi | |
| unit-tests: | |
| runs-on: ubuntu-24.04-arm | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Set up just | |
| uses: extractions/setup-just@dd310ad5a97d8e7b41793f8ef055398d51ad4de6 # v2.0.0 | |
| - name: Set up Go | |
| uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0 | |
| with: | |
| go-version-file: go.mod | |
| - name: Run unit tests | |
| run: just test-unit | |
| integration-tests: | |
| needs: unit-tests | |
| runs-on: ubuntu-24.04-arm | |
| services: | |
| # PostgreSQL for comparison tests | |
| postgres: | |
| image: public.ecr.aws/docker/library/postgres:16-alpine | |
| env: | |
| POSTGRES_USER: postgres | |
| POSTGRES_PASSWORD: postgres | |
| POSTGRES_DB: testdb | |
| ports: | |
| - 127.0.0.1:35432:5432 | |
| options: >- | |
| --health-cmd pg_isready | |
| --health-interval 10s | |
| --health-timeout 5s | |
| --health-retries 5 | |
| # DuckLake metadata store | |
| ducklake-metadata: | |
| image: public.ecr.aws/docker/library/postgres:16-alpine | |
| env: | |
| POSTGRES_USER: ducklake | |
| POSTGRES_PASSWORD: ducklake | |
| POSTGRES_DB: ducklake | |
| ports: | |
| - 127.0.0.1:35433:5432 | |
| options: >- | |
| --health-cmd pg_isready | |
| --health-interval 10s | |
| --health-timeout 5s | |
| --health-retries 5 | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Set up just | |
| uses: extractions/setup-just@dd310ad5a97d8e7b41793f8ef055398d51ad4de6 # v2.0.0 | |
| - name: Set up Go | |
| uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0 | |
| with: | |
| go-version-file: go.mod | |
| - name: Build | |
| run: go build -o duckgres . | |
| - name: Start MinIO | |
| run: | | |
| docker run -d --name minio \ | |
| -p 39000:9000 \ | |
| -e MINIO_ROOT_USER=minioadmin \ | |
| -e MINIO_ROOT_PASSWORD=minioadmin \ | |
| quay.io/minio/minio:latest server /data | |
| # Wait for MinIO to be ready | |
| for i in {1..30}; do | |
| curl -sf http://localhost:39000/minio/health/live && break | |
| sleep 1 | |
| done | |
| - name: Create MinIO bucket | |
| run: | | |
| # Install mc client | |
| curl -sL https://dl.min.io/client/mc/release/linux-arm64/mc -o /tmp/mc | |
| chmod +x /tmp/mc | |
| # Configure and create bucket | |
| /tmp/mc alias set minio http://localhost:39000 minioadmin minioadmin | |
| /tmp/mc mb minio/ducklake --ignore-existing | |
| - name: Run integration tests | |
| run: just test-integration | |
| controlplane-tests: | |
| needs: unit-tests | |
| runs-on: ubuntu-24.04-arm | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Set up just | |
| uses: extractions/setup-just@dd310ad5a97d8e7b41793f8ef055398d51ad4de6 # v2.0.0 | |
| - name: Set up Go | |
| uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0 | |
| with: | |
| go-version-file: go.mod | |
| - name: Run control plane tests | |
| run: just test-controlplane | |
| configstore-integration-tests: | |
| needs: unit-tests | |
| runs-on: ubuntu-24.04-arm | |
| services: | |
| postgres: | |
| image: public.ecr.aws/docker/library/postgres:16-alpine | |
| env: | |
| POSTGRES_USER: postgres | |
| POSTGRES_PASSWORD: postgres | |
| POSTGRES_DB: testdb | |
| ports: | |
| - 127.0.0.1:35432:5432 | |
| options: >- | |
| --health-cmd pg_isready | |
| --health-interval 10s | |
| --health-timeout 5s | |
| --health-retries 5 | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Set up just | |
| uses: extractions/setup-just@dd310ad5a97d8e7b41793f8ef055398d51ad4de6 # v2.0.0 | |
| - name: Set up Go | |
| uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0 | |
| with: | |
| go-version-file: go.mod | |
| - name: Run config store integration tests | |
| run: just test-configstore-integration | |
| controlplane-k8s-tests: | |
| needs: unit-tests | |
| runs-on: ubuntu-24.04-arm | |
| services: | |
| postgres: | |
| image: public.ecr.aws/docker/library/postgres:16-alpine | |
| env: | |
| POSTGRES_USER: postgres | |
| POSTGRES_PASSWORD: postgres | |
| POSTGRES_DB: testdb | |
| ports: | |
| - 127.0.0.1:35432:5432 | |
| options: >- | |
| --health-cmd pg_isready | |
| --health-interval 10s | |
| --health-timeout 5s | |
| --health-retries 5 | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Set up just | |
| uses: extractions/setup-just@dd310ad5a97d8e7b41793f8ef055398d51ad4de6 # v2.0.0 | |
| - name: Set up Go | |
| uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0 | |
| with: | |
| go-version-file: go.mod | |
| - name: Run Kubernetes-tagged control plane package tests | |
| run: just test-controlplane-k8s | |
| k8s-integration-tests: | |
| needs: unit-tests | |
| runs-on: ubuntu-24.04-arm | |
| timeout-minutes: 30 | |
| env: | |
| DUCKGRES_KIND_CLUSTER_NAME: duckgres | |
| DUCKGRES_KIND_NODE_IMAGE: kindest/node:v1.31.0@sha256:53df588e04085fd41ae12de0c3fe4c72f7013bba32a20e7325357a1ac94ba865 | |
| services: | |
| postgres: | |
| image: public.ecr.aws/docker/library/postgres:16-alpine | |
| env: | |
| POSTGRES_USER: postgres | |
| POSTGRES_PASSWORD: postgres | |
| POSTGRES_DB: testdb | |
| ports: | |
| - 127.0.0.1:35432:5432 | |
| options: >- | |
| --health-cmd pg_isready | |
| --health-interval 10s | |
| --health-timeout 5s | |
| --health-retries 5 | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Set up just | |
| uses: extractions/setup-just@dd310ad5a97d8e7b41793f8ef055398d51ad4de6 # v2.0.0 | |
| - name: Set up Go | |
| uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0 | |
| with: | |
| go-version-file: go.mod | |
| - name: Install kind | |
| env: | |
| KIND_VERSION: v0.24.0 | |
| run: | | |
| curl -sSL -o /tmp/kind "https://github.com/kubernetes-sigs/kind/releases/download/${KIND_VERSION}/kind-linux-arm64" | |
| chmod +x /tmp/kind | |
| sudo mv /tmp/kind /usr/local/bin/kind | |
| kind --version | |
| - name: Clear Docker Hub credentials for kind pulls | |
| run: | | |
| docker logout registry-1.docker.io || true | |
| docker logout docker.io || true | |
| docker logout https://index.docker.io/v1/ || true | |
| - name: Pre-pull kind node image | |
| run: | | |
| for attempt in 1 2 3; do | |
| if docker pull "${DUCKGRES_KIND_NODE_IMAGE}"; then | |
| exit 0 | |
| fi | |
| sleep $((attempt * 5)) | |
| done | |
| exit 1 | |
| - name: Run Kubernetes integration tests | |
| run: just test-k8s-integration |